What is the recommended way of attaching unique ID into HTML table rows?

Question

We have a JSP page and it has a table like below

enter image description here

We load the data into this table using a JDBC Query. Now, please consider the below.

Each row display the data of a one single person.
Each person has a unique ID called idPerson

Now, we need to track which row contains the data belongs to which person. To do that, we have to "attach" the idPerson to the rows somehow. We found the below way of doing that.

Create a "hidden text box" for each row and set idPerson into its value or id attribute.

However not sure how secure this method is, or whether someone can simply edit the HTML from browser and hack in.

What is the recommended way of doing this?

score 1 · Accepted Answer · answered Jan 29 '15 at 04:52

1

Your approach can change to use a proper hidden field: <input type="hidden />. Now, your concern is about security:

not sure how secure this method is, or whether someone can simply edit the HTML from browser and hack in

This id without a context is useless for attackers. Think about it: what's the real value of id=1? You cannot do anything valuable with this. You can add security in other parts of your web application:

Use https to secure the communication between client and server.
Validate if the user is authenticated and authorized to access to this view.
Validate if the user has authorization to modify the fields being displayed.
Validate if the user has authorization to send the data for the fields being sent to the server.
Etc...

Apart of that, there's no problem on doing this.

answered Jan 29 '15 at 04:52

Luiggi Mendoza

85,076
16
154
332

Thanks for the reply. Once the row or name of a person is clicked, how can we retrieve this value? At the moment we thought of adding another column, adding a button and attaching the `isPerson` into the button `id`. Any idea please? – PeakGen Jan 29 '15 at 04:57
Send the id in the query string e.g. `Edit` – Luiggi Mendoza Jan 29 '15 at 04:59
Thanks. So we can get the `personId` from Servlet sessions? Like `request.getParameter("personId");` ? – PeakGen Jan 29 '15 at 05:04
That's request parameter, it's not session. Seems like you have a bigger problem: understand how JSP and Servlets work. But to answer to your question: yes, that will do. Also, you should handle the cases when `id` cannot be parsed into an `int` or the `int` value doesn't exist in database. – Luiggi Mendoza Jan 29 '15 at 05:05
Yes, request parameter, not the session,. sorry. We add that into the session later... – PeakGen Jan 29 '15 at 05:08
Your last comment makes my idea stronger: you **need to** understand how JSP and Servlets work. Not everything should be stored in session, specially this kind of data. You can read more about scopes in Java Web applications here: [How to pass parameter to jsp:include via c:set? What are the scopes of the variables in JSP?](http://stackoverflow.com/q/16619015/1065197) – Luiggi Mendoza Jan 29 '15 at 05:10
OK, but how can I set the parameter value into `` wen the link/button is clicked? – PeakGen Jan 29 '15 at 05:36
`` is performed server side. Clicking a button is client side. You need your button to call a URL (either using an `` tag like @LuiggiMendoza mentioned above, or use ` – Kevin Day Jan 29 '15 at 06:05

What is the recommended way of attaching unique ID into HTML table rows?

1 Answers1